safe_timer_diff is unsafe under wrapping
safe_timer_diff is meant to avoid overflow (or perhaps negative return values) but doesn't. (It was introduced to tor 0.2.8.0-alpha-dev in #3199.)
For example:
- safe_timer_diff(INT_MIN, INT_MAX) returns -1 on a system where TIME_T_IS_SIGNED. It should return a (clipped) value representing the largest integer difference possible, such as INT_MAX.
I'm sure there are equivalent issues where TIME_T_IS_UNSIGNED, but I can't think of any right now.
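The signed case from the example above, worked through in C. This is an added illustration, not Tor's code: the body of naive_timer_diff is an assumed reconstruction of a subtract-then-clip pattern that produces the -1 described in the report, LONGEST_TIMER_PERIOD is a constructed bound, and int32_t stands in for a 32-bit signed time_t so the wrap is reproducible on any host. The two saturating variants show how to get a clipped non-negative result, one by widening to 64 bits and one without a wider type (checking against the bound before subtracting).

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed upper bound on any timer, in seconds (30 days).  A stand-in
 * for whatever constant the real function clips against. */
#define LONGEST_TIMER_PERIOD (30 * 24 * 60 * 60)
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* int32_t stands in for a 32-bit signed time_t so that the wrap is
 * reproducible regardless of the host's real time_t width. */
typedef int32_t time32_t;

/* Assumed shape of the unsafe version: subtract first, clip afterwards.
 * The subtraction is done modulo 2^32 (via uint32_t) to make the wrap
 * deterministic; a plain `next - now` on a 32-bit signed time_t is
 * undefined behaviour that in practice yields the same bit pattern. */
static int
naive_timer_diff(time32_t now, time32_t next)
{
  if (next > now) {
    int32_t diff = (int32_t)((uint32_t)next - (uint32_t)now); /* wraps */
    return MIN(diff, LONGEST_TIMER_PERIOD);  /* -1 for (INT_MIN, INT_MAX) */
  }
  return 1;
}

/* Hardened version 1: widen to 64 bits so the difference of any two
 * 32-bit values is exact, then clip to the bound. */
static int
saturating_timer_diff(time32_t now, time32_t next)
{
  if (next <= now)
    return 1;                            /* already due: fire on the next tick */
  int64_t diff = (int64_t)next - (int64_t)now;  /* cannot overflow */
  if (diff > LONGEST_TIMER_PERIOD)
    return LONGEST_TIMER_PERIOD;
  return (int)diff;
}

/* Hardened version 2: no wider type available.  Decide whether the gap
 * exceeds the bound before subtracting, and guard the one place where
 * `next - LONGEST_TIMER_PERIOD` could itself underflow. */
static int
saturating_timer_diff_no_widen(time32_t now, time32_t next)
{
  if (next <= now)
    return 1;
  if (next < INT32_MIN + LONGEST_TIMER_PERIOD) {
    /* next is within LONGEST_TIMER_PERIOD of INT32_MIN and now < next,
     * so 0 < next - now < LONGEST_TIMER_PERIOD and nothing can overflow. */
    return (int)(next - now);
  }
  if (now < next - LONGEST_TIMER_PERIOD)  /* safe: next - bound >= INT32_MIN */
    return LONGEST_TIMER_PERIOD;
  return (int)(next - now);               /* 0 < next - now <= bound */
}

int
main(void)
{
  printf("naive(INT_MIN, INT_MAX)      = %d\n",
         naive_timer_diff(INT32_MIN, INT32_MAX));
  printf("saturating(INT_MIN, INT_MAX) = %d\n",
         saturating_timer_diff(INT32_MIN, INT32_MAX));
  printf("no_widen(INT_MIN, INT_MAX)   = %d\n",
         saturating_timer_diff_no_widen(INT32_MIN, INT32_MAX));
  return 0;
}
```

The widening variant is the simpler fix wherever a 64-bit integer exists; the second variant matters on targets where time_t is already the widest type, and its extra branch is exactly the case a reviewer should check, since moving the bound to the other side of the comparison reintroduces an underflow near the minimum representable time.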